Uploaded image for project: 'ActiveMQ'
  1. ActiveMQ
  2. AMQ-3598

Unprivileged users can receive messages from a protected topic when using wildcards in destination

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.5.0, 5.5.1
    • 5.12.0
    • Broker
    • OS: Mac OS X 10.6.8
      JRE/JDK: 1.6.0_29
      ActiveMQ: 5.5.0

    Description

      A consumer can receive messages from protected queues/topics if he uses a Destination which contains a wildcard as described here:

      Destination queue = new ActiveMQQueue("messages.>");
      Destination topic = new ActiveMQTopic(">");
      

      We are using the default authentication/authorization system as described in Security Authentication/Authorization with the following configuration:

      broker.xml
      <plugins>
          <simpleAuthenticationPlugin>
              <users>
                  <authenticationUser
                        username="admin"
                        password="admin"
                        groups="admins"/>
                  <authenticationUser
                        username="user"
                        password="user"
                        groups="users"/>
              </users>
          </simpleAuthenticationPlugin>
          <authorizationPlugin>
              <map>
                  <authorizationMap>
                      <authorizationEntries>
                          <authorizationEntry topic="messages.>"
                                              read="admins"
                                              write="admins"
                                              admin="admins"/>
                          <authorizationEntry topic="messages.cat2"
                                              read="admins"
                                              write="admins"
                                              admin="admins"/>
                          <authorizationEntry topic="messages.cat1"
                                              read="admins, users"
                                              write="admins, users"
                                              admin="admins, users"/>
                          <authorizationEntry topic="ActiveMQ.Advisory.>"
                                              read="admins, users"
                                              write="admins, users"
                                              admin="admins, users"/>
                      </authorizationEntries>
                  </authorizationMap>
              </map>
          </authorizationPlugin>
      </plugins>
      

      As exepected, clients connecting as "user" to the topic "messages.cat2" get an exception ("User user is not authorized to read from: topic://messages.cat2"). Suprisingly "user" can receive messages from topic "messages.cat2" if he creates a consumer with the destination "messages.>":

      consumer.java
      final Destination destination = new ActiveMQTopic("messages.>");
      final Connection conn = new ActiveMQConnectionFactory("user", "user", BROKER_URL).createConnection();
      final Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
      final MessageConsumer consumer = session.createConsumer(destination);
      conn.start();
      closure.run();
      final Message message = consumer.receive(TIMEOUT);
      session.close();
      conn.close(); 
      

      IMHO this behaviour is a security problem as an unprivileged user can receive messages from a protected topic or queue!

      Attachments

        1. AMQ-3598.patch
          16 kB
          Torsten Mielke
        2. ActiveMQAuthorizationBug.zip
          7 kB
          Thorsten Panitz

        Activity

          People

            Unassigned Unassigned
            panitz Thorsten Panitz
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: